ipa/0009-ipa_sidgen-Allow-sidgen_task-to-continue-after-findi.patch
Florence Blanc-Renaud fcc298685a ipa-4.12.1-2
- Resolves: RHEL-46607 kdc.crt certificate not getting automatically renewed by certmonger in IPA Hidden replica
- Resolves: RHEL-46606 ipa-client rpm post script creates always ssh_config.orig even if nothing needs to be changed
- Resolves: RHEL-46605 IPA Web UI not showing replication agreement for non-admin users
- Resolves: RHEL-46592 [RFE] Allow IPA SIDgen task to continue if it finds an entity that SID can't be assigned to
- Resolves: RHEL-46556 Include latest fixes in python3-ipatests packages
- Resolves: RHEL-42705 PSKC.xml issues with ipa_otptoken_import.py

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
2024-07-08 19:27:27 +02:00

105 lines
4.1 KiB
Diff

From a8e75bbb77e15e3a42adb2d30933cf9e1edd2f0b Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Tue, 11 Jun 2024 10:50:51 +0200
Subject: [PATCH] ipa_sidgen: Allow sidgen_task to continue after finding
issues
find_sid_for_ldap_entry could fail in several ways if a Posix ID can not
be converted to an unused SID. This could happen for example for ducplicate
IDs or user/group out of range.
This change enables ipa_sidgen_task to continue in the error case to try
to convert the entries without errors. The error messages have been
extended to additionally show the DN string for the bad entries.
Fixes: https://pagure.io/freeipa/issue/9618
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
.../ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c | 11 ++++++-----
.../ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c | 11 ++++++++---
2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
index cb763ebf8c733e50483c23856a248eb536c796f1..13f4de5416606df1911f14f60ab1af1a8ba0184b 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
@@ -491,7 +491,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
}
if (uid_number >= UINT32_MAX || gid_number >= UINT32_MAX) {
- LOG_FATAL("ID value too large.\n");
+ LOG_FATAL("ID value too large on entry [%s].\n", dn_str);
ret = LDAP_CONSTRAINT_VIOLATION;
goto done;
}
@@ -508,7 +508,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
&has_posix_group,
&has_ipa_id_object);
if (ret != 0) {
- LOG_FATAL("Cannot determine objectclasses.\n");
+ LOG_FATAL("Cannot determine objectclasses on entry [%s].\n", dn_str);
goto done;
}
@@ -522,15 +522,16 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
id = (uid_number != 0) ? uid_number : gid_number;
objectclass_to_add = NULL;
} else {
- LOG_FATAL("Inconsistent objectclasses and attributes, nothing to do.\n");
+ LOG_FATAL("Inconsistent objectclasses and attributes on entry "
+ "[%s], nothing to do.\n", dn_str);
ret = 0;
goto done;
}
ret = find_sid_for_id(id, plugin_id, base_dn, dom_sid, ranges, &sid);
if (ret != 0) {
- LOG_FATAL("Cannot convert Posix ID [%lu] into an unused SID.\n",
- (unsigned long) id);
+ LOG_FATAL("Cannot convert Posix ID [%lu] into an unused SID on "
+ "entry [%s].\n", (unsigned long) id, dn_str);
goto done;
}
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
index 007b1c945d0e37c4061f6a33cfdd667c45118c99..67979cb9fb0b5560009643c84be7eb07d767d77f 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
@@ -89,7 +89,7 @@ static void free_pblock(void *arg)
static int do_work(struct worker_ctx *worker_ctx)
{
Slapi_PBlock *pb;
- int ret;
+ int ret, failures = 0;
size_t c;
char *filter = NULL;
char *attrs[] = { OBJECTCLASS, UID_NUMBER, GID_NUMBER, NULL };
@@ -151,8 +151,7 @@ static int do_work(struct worker_ctx *worker_ctx)
worker_ctx->base_dn, worker_ctx->dom_sid,
worker_ctx->ranges);
if (ret != 0) {
- LOG_FATAL("Cannot add SID to existing entry.\n");
- goto done;
+ failures++;
}
if (worker_ctx->delay != 0) {
@@ -162,6 +161,12 @@ static int do_work(struct worker_ctx *worker_ctx)
}
};
+ ret = failures;
+ if (ret > 0) {
+ LOG_FATAL("Finished with %d failures, please check the log.\n",
+ failures);
+ }
+
done:
slapi_ch_free_string(&filter);
pthread_cleanup_pop(1);
--
2.45.2